[Rule Tuning] Linux DR Tuning - 8 (#5505)

* [Rule Tuning] Linux DR Tuning - 8 * Revise investigation guide for THC tool downloads Updated investigation guide to reflect THC tool instead of SSH-IT worm. Enhanced description for clarity. * Update exfiltration_unusual_file_transfer_utility_launched.toml * Refine ESQL query for brute force malware detection Updated the query to include additional fields and modified the conditions for filtering events. --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2026-01-08 10:01:11 +01:00
parent d968f62a5a
commit b13afcdeaa
19 changed files with 294 additions and 226 deletions
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/04/29"
-integration = ["endpoint", "crowdstrike"]
+integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/10/17"
+updated_date = "2025/12/19"

 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ actors have been seen utilizing curl to upload this archive file with the collec
 way while not inherently malicious should be considered highly abnormal and suspicious activity.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
+index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*",]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Data Exfiltration Through Curl"
@@ -102,14 +102,16 @@ tags = [
  "Data Source: Elastic Defend",
  "Resources: Investigation Guide",
  "Data Source: Crowdstrike",
+  "Data Source: SentinelOne"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.name == "curl" and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2", "start") and process.name == "curl" and
 ?process.parent.executable != null and (process.args in ("-F", "-T", "-d") or process.args like "--data*") and 
 process.command_line like~ ("*@/*.zip*", "*@/*.gz*", "*@/*.tgz*", "*b64=@*", "*=<*") and
-process.command_line like~ "*http*"
+process.command_line like~ "*http*" and
+not ?process.parent.executable == "/usr/share/untangle/bin/configuration-backup-upload-backup.sh"
 '''

 [[rule.threat]]
@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/19"

 [rule]
 author = ["Elastic"]
@@ -56,7 +56,7 @@ Data splitting utilities on Linux, such as `dd` and `split`, are typically used
 - Implement stricter access controls and monitoring on sensitive data directories to prevent unauthorized access and manipulation.
 - Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems are affected.
 - Enhance monitoring and alerting for similar suspicious activities by integrating additional threat intelligence sources and refining detection capabilities."""
-risk_score = 21
+risk_score = 47
 rule_id = "e302e6c3-448c-4243-8d9b-d41da70db582"
 setup = """## Setup

@@ -83,7 +83,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "low"
+severity = "medium"
 tags = [
    "Domain: Endpoint",
    "OS: Linux",
@@ -97,7 +97,6 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
  event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
@@ -116,7 +115,8 @@ process where host.os.type == "linux" and event.type == "start" and
    process.args like (
      "if=/tmp/nvim*", "if=/boot/*", "if=/dev/random", "if=/dev/urandom", "/dev/mapper/*",
      "if=*.iso", "of=/dev/stdout", "if=/dev/zero", "if=/dev/sda", "/proc/sys/kernel/*"
-    )
+    ) or
+    ?process.parent.args in ("/etc/init.d/apport", "/usr/bin/spectre-meltdown-checker")
  )
 '''

@@ -128,4 +128,3 @@ framework = "MITRE ATT&CK"
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
-
@@ -2,7 +2,7 @@
 creation_date = "2025/02/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/09/02"
+updated_date = "2025/12/19"

 [rule]
 author = ["Elastic"]
@@ -15,13 +15,13 @@ from = "now-61m"
 interval = "1h"
 language = "esql"
 license = "Elastic License v2"
-name = "Unusual File Transfer Utility Launched"
+name = "File Transfer Utility Launched from Unusual Parent"
 note = """ ## Triage and analysis

 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

-### Investigating Unusual File Transfer Utility Launched
+### Investigating File Transfer Utility Launched from Unusual Parent

 File transfer utilities like scp, ftp, and rsync are essential for data movement in Linux environments. However, adversaries can exploit these tools to exfiltrate sensitive data. The detection rule identifies suspicious executions of these utilities by monitoring process activities, focusing on rare occurrences and unique agent IDs, which may indicate unauthorized data transfers. This helps in early detection of potential data breaches.

@@ -51,7 +51,7 @@ File transfer utilities like scp, ftp, and rsync are essential for data movement
 - Implement network monitoring to detect any further attempts of unauthorized file transfers or suspicious activities from the affected system.
 - Update and enhance endpoint detection and response (EDR) solutions to improve detection capabilities for similar threats in the future.
 """
-risk_score = 21
+risk_score = 47
 rule_id = "8eeeda11-dca6-4c3e-910f-7089db412d1c"
 setup = """## Setup

@@ -79,7 +79,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "low"
+severity = "medium"
 tags = [
    "Domain: Endpoint",
    "OS: Linux",
@@ -92,25 +92,74 @@ tags = [
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-from logs-endpoint.events.process-*
-| keep @timestamp, host.os.type, event.type, event.action, process.name, process.executable, process.parent.executable, agent.id, host.name
+from logs-endpoint.events.process-* metadata _id, _index, _version
+| mv_expand event.action 
 | where
-    @timestamp > now() - 1 hours and
    host.os.type == "linux" and
    event.type == "start" and
    event.action == "exec" and
-    process.name in ("scp", "ftp", "sftp", "vsftpd", "sftp-server", "rsync")
+    process.name in ("scp", "ftp", "sftp", "vsftpd", "sftp-server", "rsync") and (
+        (process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")) or
+        (
+          process.parent.name like ".*" or
+          process.parent.name like "*.elf" or
+          process.parent.name like "*.sh" or
+          process.parent.name like "*.py" or
+          process.parent.name like "*.rb" or
+          process.parent.name like "*.pl" or
+          process.parent.name like "*.lua*" or
+          process.parent.name like "*.php*" or
+          process.parent.name like "*.js"
+        ) or
+        (
+          process.parent.executable like "/tmp/*" or
+          process.parent.executable like "/var/tmp/*" or
+          process.parent.executable like "/dev/shm/*" or
+          process.parent.executable like "./*" or
+          process.parent.executable like "/run/*" or
+          process.parent.executable like "/var/run/*" or
+          process.parent.executable like "/boot/*" or
+          process.parent.executable like "/sys/*" or
+          process.parent.executable like "/lost+found/*" or
+          process.parent.executable like "/proc/*" or
+          process.parent.executable like "/var/mail/*" or
+          process.parent.executable like "/var/www/*" or
+          process.parent.executable like "/home/*" or
+          process.parent.executable like "/root/*"
+        )
+    )
+
+| keep
+    @timestamp,
+    _id,
+    _index,
+    _version,
+    host.os.type,
+    event.type,
+    event.action,
+    process.name,
+    process.parent.name,
+    process.parent.executable,
+    process.executable,
+    agent.id,
+    host.name,
+    event.dataset,
+    data_stream.namespace
+
 | stats
    Esql.event_count = count(),
    Esql.agent_id_count_distinct = count_distinct(agent.id),
    Esql.host_name_values = values(host.name),
-    Esql.agent_id_values = values(agent.id)
+    Esql.agent_id_values = values(agent.id),
+    Esql.event_dataset_values = values(event.dataset),
+    Esql.data_stream_namespace_values = values(data_stream.namespace)
+
  by process.executable, process.parent.executable
+
 | where
    Esql.agent_id_count_distinct == 1 and
    Esql.event_count < 5
 | sort Esql.event_count asc
-| limit 100
 '''

 [[rule.threat]]
@@ -2,7 +2,7 @@
 creation_date = "2023/06/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/12/19"

 [rule]
 author = ["Elastic"]
@@ -16,6 +16,40 @@ index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Data Encryption via OpenSSL Utility"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious Data Encryption via OpenSSL Utility
+
+OpenSSL is a widely-used command-line tool for secure data encryption and decryption. Adversaries may exploit OpenSSL to encrypt files rapidly across systems, aiming to disrupt data availability or demand ransom. The detection rule identifies suspicious OpenSSL usage by monitoring rapid file encryption activities, focusing on specific command patterns and excluding benign operations, thus highlighting potential malicious behavior.
+
+### Possible investigation steps
+
+- Review the process execution details on the host identified by host.id to confirm the presence of the openssl command and its associated arguments, ensuring they match the suspicious pattern specified in the query.
+- Examine the user.name associated with the process to determine if the activity aligns with expected behavior for that user or if it indicates potential unauthorized access.
+- Investigate the parent process identified by process.parent.entity_id to understand the context in which the openssl command was executed, checking for any unusual or unexpected parent processes.
+- Check for any recent file modifications or creations on the host that coincide with the time window of the alert to assess the impact of the encryption activity.
+- Look for additional related alerts or logs from the same host or user within a similar timeframe to identify any patterns or further suspicious activities that could indicate a broader attack.
+
+### False positive analysis
+
+- Legitimate batch encryption operations by system administrators or automated scripts may trigger the rule. To handle this, identify and whitelist specific scripts or user accounts that perform regular encryption tasks.
+- Backup processes that use OpenSSL for encrypting data before storage can be mistaken for malicious activity. Exclude known backup processes by specifying their parent process names or paths.
+- Developers or security teams testing encryption functionalities might inadvertently match the rule's criteria. Create exceptions for development environments or specific user accounts involved in testing.
+- Automated data transfer services that encrypt files for secure transmission could be flagged. Identify these services and exclude their associated processes or user accounts from the rule.
+- Regularly review and update the exclusion list to ensure it reflects current operational practices and does not inadvertently allow malicious activities.
+
+### Response and remediation
+
+- Immediately isolate the affected host from the network to prevent further spread of the encryption activity and potential lateral movement by the adversary.
+- Terminate any suspicious OpenSSL processes identified on the host to halt ongoing encryption activities.
+- Conduct a forensic analysis of the affected host to identify the scope of the encryption, including which files were encrypted and any potential data exfiltration.
+- Restore encrypted files from the most recent clean backup to ensure data availability and integrity, ensuring that the backup is free from any malicious alterations.
+- Change all credentials and keys that may have been exposed or used on the affected host to prevent unauthorized access.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
+- Implement enhanced monitoring and logging for OpenSSL usage across the network to detect and respond to similar threats more effectively in the future."""
 references = [
    "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
    "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html",
@@ -57,7 +91,6 @@ tags = [
    "Resources: Investigation Guide",
 ]
 type = "eql"
-
 query = '''
 sequence by host.id, user.name, process.parent.entity_id with maxspan=5s
  [ process where host.os.type == "linux" and event.action == "exec" and
@@ -65,54 +98,20 @@ sequence by host.id, user.name, process.parent.entity_id with maxspan=5s
    process.args == "-in" and process.args == "-out" and
    process.args in ("-k", "-K", "-kfile", "-pass", "-iv", "-md") and
    /* excluding base64 encoding options and including encryption password or key params */
-    not process.args in ("-d", "-a", "-A", "-base64", "-none", "-nosalt") ] with runs=10
+    not process.args in ("-d", "-a", "-A", "-base64", "-none", "-nosalt") and
+    not (process.parent.command_line == "bash -s" and process.args like "/root/recipes/recipes*")
+  ] with runs=10
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Suspicious Data Encryption via OpenSSL Utility
-
-OpenSSL is a widely-used command-line tool for secure data encryption and decryption. Adversaries may exploit OpenSSL to encrypt files rapidly across systems, aiming to disrupt data availability or demand ransom. The detection rule identifies suspicious OpenSSL usage by monitoring rapid file encryption activities, focusing on specific command patterns and excluding benign operations, thus highlighting potential malicious behavior.
-
-### Possible investigation steps
-
- Review the process execution details on the host identified by host.id to confirm the presence of the openssl command and its associated arguments, ensuring they match the suspicious pattern specified in the query.
- Examine the user.name associated with the process to determine if the activity aligns with expected behavior for that user or if it indicates potential unauthorized access.
- Investigate the parent process identified by process.parent.entity_id to understand the context in which the openssl command was executed, checking for any unusual or unexpected parent processes.
- Check for any recent file modifications or creations on the host that coincide with the time window of the alert to assess the impact of the encryption activity.
- Look for additional related alerts or logs from the same host or user within a similar timeframe to identify any patterns or further suspicious activities that could indicate a broader attack.
-
-### False positive analysis
-
- Legitimate batch encryption operations by system administrators or automated scripts may trigger the rule. To handle this, identify and whitelist specific scripts or user accounts that perform regular encryption tasks.
- Backup processes that use OpenSSL for encrypting data before storage can be mistaken for malicious activity. Exclude known backup processes by specifying their parent process names or paths.
- Developers or security teams testing encryption functionalities might inadvertently match the rule's criteria. Create exceptions for development environments or specific user accounts involved in testing.
- Automated data transfer services that encrypt files for secure transmission could be flagged. Identify these services and exclude their associated processes or user accounts from the rule.
- Regularly review and update the exclusion list to ensure it reflects current operational practices and does not inadvertently allow malicious activities.
-
-### Response and remediation
-
- Immediately isolate the affected host from the network to prevent further spread of the encryption activity and potential lateral movement by the adversary.
- Terminate any suspicious OpenSSL processes identified on the host to halt ongoing encryption activities.
- Conduct a forensic analysis of the affected host to identify the scope of the encryption, including which files were encrypted and any potential data exfiltration.
- Restore encrypted files from the most recent clean backup to ensure data availability and integrity, ensuring that the backup is free from any malicious alterations.
- Change all credentials and keys that may have been exposed or used on the affected host to prevent unauthorized access.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
- Implement enhanced monitoring and logging for OpenSSL usage across the network to detect and respond to similar threats more effectively in the future."""
-

 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1486"
 name = "Data Encrypted for Impact"
 reference = "https://attack.mitre.org/techniques/T1486/"

-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
@@ -2,7 +2,7 @@
 creation_date = "2023/04/11"
 integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/10/17"
+updated_date = "2025/12/19"

 [rule]
 author = ["Elastic"]
@@ -17,54 +17,6 @@ index = ["endgame-*", "logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Termination of ESXI Process"
-references = [
-    "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
-]
-risk_score = 47
-rule_id = "6641a5af-fb7e-487a-adc4-9e6503365318"
-setup = """## Setup
-
-This rule requires data coming in from Elastic Defend.
-
-### Elastic Defend Integration Setup
-Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
-
-#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-
-#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
-For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
-For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-"""
-severity = "medium"
-tags = [
-  "Domain: Endpoint",
-  "OS: Linux",
-  "Use Case: Threat Detection",
-  "Tactic: Impact",
-  "Data Source: Elastic Defend",
-  "Data Source: Elastic Endgame",
-  "Resources: Investigation Guide",
-  "Data Source: Crowdstrike",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "linux" and event.type == "end" and process.name in ("vmware-vmx", "vmx")
-and process.parent.name == "kill"
-'''
 note = """## Triage and analysis

 > **Disclaimer**:
@@ -99,18 +51,63 @@ VMware ESXi is a hypervisor used to create and manage virtual machines on a host
 - Review and update access controls and permissions on the affected host to ensure that only authorized personnel can execute critical commands like "kill" on VMware processes.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign.
 - Implement enhanced monitoring and alerting for similar suspicious activities across the virtualized infrastructure to detect and respond to future threats more effectively."""
+references = [
+    "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
+]
+risk_score = 73
+rule_id = "6641a5af-fb7e-487a-adc4-9e6503365318"
+setup = """## Setup

+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
+severity = "high"
+tags = [
+  "Domain: Endpoint",
+  "OS: Linux",
+  "Use Case: Threat Detection",
+  "Tactic: Impact",
+  "Data Source: Elastic Defend",
+  "Data Source: Elastic Endgame",
+  "Resources: Investigation Guide",
+  "Data Source: Crowdstrike",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "end" and process.name in ("vmware-vmx", "vmx")
+and process.parent.name == "kill"
+'''

 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1489"
 name = "Service Stop"
 reference = "https://attack.mitre.org/techniques/T1489/"

-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/10/17"
+updated_date = "2025/12/19"

 [rule]
 author = ["Elastic"]
@@ -51,7 +51,7 @@ Memory swap in Linux systems manages RAM by moving inactive pages to disk, freei
 - Implement monitoring for any further unauthorized changes to swap settings or related processes to detect and respond to similar threats promptly.
 - Escalate the incident to the security operations team for a detailed forensic analysis to understand the scope and origin of the attack.
 - Update system and security patches to close any vulnerabilities that may have been exploited by the adversary."""
-risk_score = 21
+risk_score = 47
 rule_id = "5e4023e7-6357-4061-ae1c-9df33e78c674"
 setup = """## Setup

@@ -80,7 +80,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g

 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "low"
+severity = "medium"
 tags = [
  "Domain: Endpoint",
  "OS: Linux",
@@ -95,7 +95,6 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
 ?process.parent.executable != null and
@@ -108,37 +107,39 @@ process.name in ("swapon", "swapoff") or (
    )
  )
 ) and
-not process.parent.name in ("lynis", "systemd", "end-zram-swapping", "SyxsenseResponder", "tuned", "platform-python", "timeout")
+not (
+  process.parent.name in ("lynis", "systemd", "end-zram-swapping", "SyxsenseResponder", "tuned", "platform-python", "timeout") or
+  ?process.parent.executable in ("/opt/puppetlabs/puppet/bin/ruby", "/u01/app/grid/perl/bin/perl")
+)
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1496"
 name = "Resource Hijacking"
 reference = "https://attack.mitre.org/techniques/T1496/"

-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"

-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
@@ -2,7 +2,7 @@
 creation_date = "2025/02/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/09/02"
+updated_date = "2025/12/19"

 [rule]
 author = ["Elastic"]
@@ -96,10 +96,11 @@ tags = [
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-from logs-endpoint.events.network-*
-| keep @timestamp, host.os.type, event.type, event.action, destination.port, process.executable, destination.ip, agent.id, host.name
+from logs-endpoint.events.network-* metadata _id, _index, _version
+
+| mv_expand event.action 
+
 | where
-    @timestamp > now() - 1 hours and
    host.os.type == "linux" and
    event.type == "start" and
    event.action == "connection_attempted" and
@@ -116,21 +117,42 @@ from logs-endpoint.events.network-*
      ) or
      process.executable in (
        "/usr/bin/rclone", "/usr/bin/sss_ssh_knownhostsproxy", "/usr/sbin/sshd", "/usr/bin/ssh",
-        "/usr/local/bin/php", "/usr/sbin/apache2", "/usr/sbin/nginx", "/usr/local/bin/argocd-repo-server"
+        "/usr/local/bin/php", "/usr/sbin/apache2", "/usr/sbin/nginx", "/usr/local/bin/argocd-repo-server",
+        "/opt/nessus/sbin/nessusd", "/usr/local/bin/source-controller"
      ) or
      process.executable like "/usr/local/efax/*"
    )
+
+| keep
+    @timestamp,
+    _id,
+    _index,
+    _version,
+    host.os.type,
+    event.type,
+    event.action,
+    destination.port,
+    destination.ip,
+    process.executable,
+    agent.id,
+    host.name,
+    event.dataset,
+    data_stream.namespace
+
 | stats
    Esql.event_count = count(),
    Esql.agent_id_count_distinct = count_distinct(agent.id),
    Esql.host_name_values = values(host.name),
-    Esql.agent_id_values = values(agent.id)
+    Esql.agent_id_values = values(agent.id),
+    Esql.event_dataset_values = values(event.dataset),
+    Esql.data_stream_namespace_values = values(data_stream.namespace)
+
  by process.executable, destination.port
+
 | where
    Esql.agent_id_count_distinct == 1 and
-    Esql.event_count > 15
+    Esql.event_count >= 100
 | sort Esql.event_count asc
-| limit 100
 '''

 [[rule.threat]]
@@ -2,7 +2,7 @@
 creation_date = "2023/03/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/12/19"

 [rule]
 author = ["Elastic"]
@@ -62,11 +62,14 @@ sequence by process.entity_id, host.id with maxspan=1s
   file.path : (
     "/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*", "/var/log/*", "/var/lib/log/*",
     "/var/backup/*", "/var/www/*") and
-   not process.name : (
-     "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d",
-     "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git",
-     "systemsettings", "vmis-launcher", "bundle", "kudu-tserver", "suldownloader", "rustup-init", "bun"
-    )
+   not (
+     process.name : (
+       "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d",
+       "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git",
+       "systemsettings", "vmis-launcher", "bundle", "kudu-tserver", "suldownloader", "rustup-init", "bun"
+     ) or
+     process.executable in ("./runc", "./usr/bin/qemu-aarch64")
+   )
  ] with runs=25
  [file where host.os.type == "linux" and event.action == "creation" and
   file.name : ("*restore*", "*lock*", "*recovery*", "*read*", "*instruction*", "*how_to*", "*ransom*")
@@ -2,7 +2,7 @@
 creation_date = "2022/07/27"
 integration = ["endpoint", "auditd_manager", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/10/17"
+updated_date = "2025/12/19"

 [rule]
 author = ["Elastic"]
@@ -86,26 +86,27 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "threshold"
-
 query = '''
-event.category:process and host.os.type:linux and event.type:start and process.name:"pkill" and process.args:"-f"
+event.category:process and host.os.type:linux and event.type:start and (
+  (process.name:"pkill" and process.args:"-f") or
+  (process.name:kill and process.args:"-9") or
+  (process.name:killall)
+)
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1489"
 name = "Service Stop"
 reference = "https://attack.mitre.org/techniques/T1489/"

-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"

 [rule.threshold]
-field = ["host.id", "process.executable", "user.name"]
-value = 10
-
+field = ["agent.id", "process.executable", "user.name"]
+value = 15
@@ -2,13 +2,13 @@
 creation_date = "2025/02/21"
 integration = ["system"]
 maturity = "production"
-updated_date = "2025/09/09"
+updated_date = "2025/12/19"

 [rule]
 author = ["Elastic"]
 description = """
 This rule leverages the new_terms rule type to detect successful SSH authentications via a public
-key that has not been seen in the last 10 days. Public key authentication is a secure method for
+key that has not been seen in the last 5 days. Public key authentication is a secure method for
 authenticating users to a server. Monitoring unusual public key authentication events can help
 detect unauthorized access attempts or suspicious activity on the system.
 """
@@ -115,4 +115,4 @@ value = ["system.auth.ssh.signature"]

 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-10d"
+value = "now-5d"
@@ -2,13 +2,13 @@
 creation_date = "2025/02/21"
 integration = ["system"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/12/19"

 [rule]
 author = ["Elastic"]
 description = """
 This rule leverages the new_terms rule type to detect successful SSH authentications by an IP-
-address that has not been authenticated in the last 10 days. This behavior may indicate an
+address that has not been authenticated in the last 5 days. This behavior may indicate an
 attacker attempting to gain access to the system using a valid account.
 """
 from = "now-9m"
@@ -108,4 +108,4 @@ value = ["related.ip"]

 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-10d"
+value = "now-5d"
@@ -2,13 +2,13 @@
 creation_date = "2025/02/21"
 integration = ["system"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/12/19"

 [rule]
 author = ["Elastic"]
 description = """
 This rule leverages the new_terms rule type to detect successful SSH authentications by a user
-who has not been authenticated in the last 10 days. This behavior may indicate an attacker
+who has not been authenticated in the last 5 days. This behavior may indicate an attacker
 attempting to gain access to the system using a valid account.
 """
 false_positives = [
@@ -92,4 +92,4 @@ value = ["related.user"]

 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-10d"
+value = "now-5d"
@@ -2,7 +2,7 @@
 creation_date = "2025/06/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/07/07"
+updated_date = "2025/12/19"

 [rule]
 author = ["Elastic"]
@@ -110,8 +110,12 @@ file where host.os.type == "linux" and event.type != "deletion" and file.path li
  "/etc/kubernetes/scheduler.conf",
  "/var/lib/*/kubeconfig"
 ) and not (
-  process.name in ("kubeadm", "kubelet", "vcluster", "minikube") or
-  (process.name == "sed" and file.Ext.original.name like "sed*")
+  process.name in ("kubeadm", "kubelet", "vcluster", "minikube", "kind") or
+  (process.name == "sed" and file.Ext.original.name like "sed*") or
+  process.executable like (
+    "/usr/local/bin/k3d", "/usr/local/aws-cli/*/dist/aws", "/usr/local/bin/ks", "/usr/local/bin/aws",
+    "/usr/local/bin/kubectl"
+  )
 )
 '''

@@ -2,7 +2,7 @@
 creation_date = "2025/02/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/11/12"
+updated_date = "2025/12/19"

 [rule]
 author = ["Elastic"]
@@ -134,8 +134,8 @@ reference = "https://attack.mitre.org/tactics/TA0008/"

 [rule.new_terms]
 field = "new_terms_fields"
-value = ["process.executable", "host.id"]
+value = ["process.executable", "agent.id"]

 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-7d"
+value = "now-5d"
@@ -2,7 +2,7 @@
 creation_date = "2023/09/21"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/19"

 [rule]
 author = ["Elastic"]
@@ -21,15 +21,15 @@ index = [
 ]
 language = "eql"
 license = "Elastic License v2"
-name = "Potential SSH-IT SSH Worm Downloaded"
+name = "Potential THC Tool Downloaded"
 note = """## Triage and analysis

 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

-### Investigating Potential SSH-IT SSH Worm Downloaded
+### Investigating Potential THC Tool Downloaded

-SSH-IT is an autonomous worm that exploits SSH connections to propagate across networks. It hijacks outgoing SSH sessions, allowing adversaries to move laterally within a compromised environment. Attackers often use tools like curl or wget to download the worm from specific URLs. The detection rule identifies these download attempts by monitoring process activities on Linux systems, focusing on command-line arguments that match known malicious URLs, thereby alerting security teams to potential threats.
+The Hacker's Choice is a suite of hacker tools that are frequently used by threat actors. One common tool is SSH-IT, which is an autonomous worm that exploits SSH connections to propagate across networks. It hijacks outgoing SSH sessions, allowing adversaries to move laterally within a compromised environment. Attackers often use tools like curl or wget to download the worm from specific URLs. The detection rule identifies these download attempts by monitoring process activities on Linux systems, focusing on command-line arguments that match known malicious URLs, thereby alerting security teams to potential threats.

 ### Possible investigation steps

@@ -57,7 +57,7 @@ SSH-IT is an autonomous worm that exploits SSH connections to propagate across n
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Update firewall and intrusion detection/prevention system (IDS/IPS) rules to block the known malicious URLs and monitor for any future attempts to access them."""
 references = ["https://www.thc.org/ssh-it/"]
-risk_score = 47
+risk_score = 73
 rule_id = "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea"
 setup = """## Setup

@@ -85,7 +85,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "medium"
+severity = "high"
 tags = [
    "Domain: Endpoint",
    "OS: Linux",
@@ -100,42 +100,38 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
 event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
 process.name in ("curl", "wget") and process.args : (
-  "https://thc.org/ssh-it/x", "http://nossl.segfault.net/ssh-it-deploy.sh", "https://gsocket.io/x",
-  "https://thc.org/ssh-it/bs", "http://nossl.segfault.net/bs"
+  "https://github.com/hackerschoice/*", "https://thc.org/*", "http://nossl.segfault.net/*", "https://gsocket.io/*"
 )
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.004"
 name = "SSH"
 reference = "https://attack.mitre.org/techniques/T1021/004/"

-
 [[rule.threat.technique]]
 id = "T1563"
 name = "Remote Service Session Hijacking"
 reference = "https://attack.mitre.org/techniques/T1563/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1563.001"
 name = "SSH Hijacking"
 reference = "https://attack.mitre.org/techniques/T1563/001/"

-
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
@@ -2,7 +2,7 @@
 creation_date = "2025/03/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/12"
+updated_date = "2025/12/19"

 [rule]
 author = ["Elastic"]
@@ -22,7 +22,41 @@ from = "now-9m"
 index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
-name = "SSH Process Launched From Inside A Container"
+name = "Deprecated - SSH Process Launched From Inside A Container"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Deprecated - SSH Process Launched From Inside A Container
+
+SSH (Secure Shell) is a protocol used for secure remote access and management of systems. Within container environments, SSH usage is atypical and can signal potential security risks. Adversaries may exploit SSH to move laterally between containers or escape to the host system. The detection rule identifies SSH processes initiated within containers, flagging potential unauthorized access or persistence attempts by monitoring process events and container identifiers.
+
+### Possible investigation steps
+
+- Examine the process start event details, including the process name (sshd, ssh, autossh) and event actions (fork, exec), to understand the context and nature of the SSH activity.
+- Check for any recent changes or deployments related to the container to identify if the SSH process aligns with expected behavior or recent updates.
+- Investigate the source and destination of the SSH connection to determine if it involves unauthorized or suspicious endpoints, potentially indicating lateral movement or an attempt to access the host system.
+- Analyze user accounts and credentials used in the SSH session to verify if they are legitimate and authorized for container access, looking for signs of compromised credentials.
+- Correlate the SSH activity with other security events or alerts to identify patterns or additional indicators of compromise within the container environment.
+
+### False positive analysis
+
+- Development and testing environments may intentionally use SSH for debugging or administrative tasks. Users can create exceptions for specific container IDs or hostnames associated with these environments to reduce noise.
+- Automated scripts or orchestration tools might use SSH to manage containers. Identify these tools and exclude their process IDs or user accounts from triggering the rule.
+- Some legacy applications might rely on SSH for internal communication. Review these applications and whitelist their specific process names or container images to prevent false alerts.
+- Containers running SSH for legitimate remote access purposes, such as maintenance, should be documented. Exclude these containers by their unique identifiers or labels to avoid unnecessary alerts.
+- Regularly review and update the exclusion list to ensure it aligns with current operational practices and does not inadvertently allow malicious activity.
+
+### Response and remediation
+
+- Immediately isolate the affected container to prevent potential lateral movement or further unauthorized access. This can be done by stopping the container or disconnecting it from the network.
+- Conduct a thorough review of the container's logs and environment to identify any unauthorized access or changes. Pay special attention to SSH-related logs and any anomalies in user activity.
+- Revoke any SSH keys or credentials that may have been compromised. Ensure that all SSH keys used within the container environment are rotated and that access is restricted to only necessary personnel.
+- Assess the container image and configuration for vulnerabilities or misconfigurations that may have allowed the SSH process to be initiated. Patch any identified vulnerabilities and update the container image accordingly.
+- Implement network segmentation to limit the ability of containers to communicate with each other and the host system, reducing the risk of lateral movement.
+- Enhance monitoring and alerting for SSH activity within container environments to ensure rapid detection of similar threats in the future. This includes setting up alerts for any SSH process initiation within containers.
+- Escalate the incident to the security operations team for further investigation and to determine if additional systems or containers have been affected."""
 references = [
    "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/",
    "https://www.blackhillsinfosec.com/sshazam-hide-your-c2-inside-of-ssh/",
@@ -71,40 +105,6 @@ query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
 process.entry_leader.entry_meta.type == "container" and process.name in ("sshd", "ssh", "autossh")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating SSH Process Launched From Inside A Container
-
-SSH (Secure Shell) is a protocol used for secure remote access and management of systems. Within container environments, SSH usage is atypical and can signal potential security risks. Adversaries may exploit SSH to move laterally between containers or escape to the host system. The detection rule identifies SSH processes initiated within containers, flagging potential unauthorized access or persistence attempts by monitoring process events and container identifiers.
-
-### Possible investigation steps
-
- Examine the process start event details, including the process name (sshd, ssh, autossh) and event actions (fork, exec), to understand the context and nature of the SSH activity.
- Check for any recent changes or deployments related to the container to identify if the SSH process aligns with expected behavior or recent updates.
- Investigate the source and destination of the SSH connection to determine if it involves unauthorized or suspicious endpoints, potentially indicating lateral movement or an attempt to access the host system.
- Analyze user accounts and credentials used in the SSH session to verify if they are legitimate and authorized for container access, looking for signs of compromised credentials.
- Correlate the SSH activity with other security events or alerts to identify patterns or additional indicators of compromise within the container environment.
-
-### False positive analysis
-
- Development and testing environments may intentionally use SSH for debugging or administrative tasks. Users can create exceptions for specific container IDs or hostnames associated with these environments to reduce noise.
- Automated scripts or orchestration tools might use SSH to manage containers. Identify these tools and exclude their process IDs or user accounts from triggering the rule.
- Some legacy applications might rely on SSH for internal communication. Review these applications and whitelist their specific process names or container images to prevent false alerts.
- Containers running SSH for legitimate remote access purposes, such as maintenance, should be documented. Exclude these containers by their unique identifiers or labels to avoid unnecessary alerts.
- Regularly review and update the exclusion list to ensure it aligns with current operational practices and does not inadvertently allow malicious activity.
-
-### Response and remediation
-
- Immediately isolate the affected container to prevent potential lateral movement or further unauthorized access. This can be done by stopping the container or disconnecting it from the network.
- Conduct a thorough review of the container's logs and environment to identify any unauthorized access or changes. Pay special attention to SSH-related logs and any anomalies in user activity.
- Revoke any SSH keys or credentials that may have been compromised. Ensure that all SSH keys used within the container environment are rotated and that access is restricted to only necessary personnel.
- Assess the container image and configuration for vulnerabilities or misconfigurations that may have allowed the SSH process to be initiated. Patch any identified vulnerabilities and update the container image accordingly.
- Implement network segmentation to limit the ability of containers to communicate with each other and the host system, reducing the risk of lateral movement.
- Enhance monitoring and alerting for SSH activity within container environments to ensure rapid detection of similar threats in the future. This includes setting up alerts for any SSH process initiation within containers.
- Escalate the incident to the security operations team for further investigation and to determine if additional systems or containers have been affected."""

 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/19"

 [rule]
 author = ["Elastic"]
@@ -108,10 +108,9 @@ tags = [
    "Resources: Investigation Guide",
 ]
 type = "eql"
-
 query = '''
 sequence by process.entity_id
-  [process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"]
+  [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start") and process.name == "telnet"]
  [network where host.os.type == "linux" and process.name == "telnet" and not cidrmatch(
     destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
     "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
@@ -122,17 +121,15 @@ sequence by process.entity_id
  ]
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"

-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/19"

 [rule]
 author = ["Elastic"]
@@ -109,10 +109,9 @@ tags = [
    "Resources: Investigation Guide",
 ]
 type = "eql"
-
 query = '''
 sequence by process.entity_id
-  [process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"]
+  [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start") and process.name == "telnet"]
  [network where host.os.type == "linux" and process.name == "telnet" and cidrmatch(
     destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
     "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
@@ -123,17 +122,15 @@ sequence by process.entity_id
  ]
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"

-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
@@ -2,7 +2,7 @@
 creation_date = "2025/02/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/09/29"
+updated_date = "2025/12/19"

 [rule]
 author = ["Elastic"]
@@ -111,7 +111,8 @@ not (
    /dev/ptmx or /run/* or /var/run/* or /home/*/.ansible/*AnsiballZ_*.py or /home/*/.ansible/tmp/ansible-tmp* or
    /root/.ansible/*AnsiballZ_*.py or /tmp/ansible-chief/ansible-tmp*AnsiballZ_*.py or
    /tmp/newroot/home/*/.ansible/tmp/ansible-tmp*AnsiballZ_*.py or /tmp/.ansible/tmp/ansible-tmp*AnsiballZ_*.py or
-    /tmp/ansible-tmp-*/AnsiballZ_*.py or /tmp/.ansible/ansible-tmp-*AnsiballZ_*.py
+    /tmp/ansible-tmp-*/AnsiballZ_*.py or /tmp/.ansible/ansible-tmp-*AnsiballZ_*.py or /var/tmp/ansible-tmp-* or
+    /tmp/.ansible/ansible-tmp-*/.source or /root/.ansible/tmp/ansible-tmp-*/.source
  ) or
  file.extension:(filepart or yaml or new or rpm or deb)
 )
@@ -141,8 +142,8 @@ reference = "https://attack.mitre.org/tactics/TA0008/"

 [rule.new_terms]
 field = "new_terms_fields"
-value = ["process.executable", "host.id"]
+value = ["process.executable", "agent.id"]

 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-10d"
+value = "now-5d"